Berkeley COMPSCI 161 - Defensive Programming

Defensive Programming
Dawn [email protected]

• Attackers will exploit any and all flaws!
  – Buffer overruns, format string usage errors, implicit casting, TOCTTOU, …
• Trusted Computing Base (TCB)
  – System portion(s) that must operate correctly for the system's security goals to be assured

Goals for Today
• Three principles in crypto design
  – Conservative Design, Kerckhoffs's Principle, Proactively Study Attacks
• Principles for building secure systems
  – 13 other principles
  – Principles are neither necessary nor sufficient to ensure a secure system design, but they are often very helpful
  – Goal is to explore what you can do at design time to improve security

Three Principles in Crypto Design
• Three principles widely accepted in the crypto community that seem useful in computer security
  – Conservative Design
  – Kerckhoffs's Principle
  – Proactively Study Attacks

1. Conservative Design
• Systems should be evaluated according to the worst plausible security failure, under assumptions favorable to the attacker
• If you find a circumstance where the system can be rendered insecure, then you should seek a more secure system

2. Kerckhoffs's Principle
• Cryptosystems should remain secure even when the attacker knows all internal details of the system
• The key should be the only thing that must be kept secret
• If your secrets are leaked, it is a lot easier to change the key than to change the algorithm

3. Proactively Study Attacks
• We must devote considerable effort to trying to break our own systems
  – This is how we gain confidence in their security
• Other reasons:
  – In the security game, the attacker gets the last move
  – Very costly if a security hole is discovered after wide system deployment
• It pays to try to identify attacks before the bad guys find them
  – Gives us lead time to close security holes before they are exploited in the wild

Principles for Secure Systems
• General principles for secure system design
  – Many drawn from a classic 1970s paper by Saltzer and Schroeder
• 1. Security is Economics
  – No system is 100% secure against all attacks
    » Only need to resist a certain level of attack
    » No point buying a $10K firewall to protect $1K worth of trade secrets
  – Often helpful to quantify the level of effort an attacker would expend to break the system
  – Adi Shamir once wrote, "There are no secure systems, only degrees of insecurity"
    » A lot of the science of computer security comes in measuring the degree of insecurity

Economics Analogy
• Safes come with a security level rating
• Consumer-grade safe:
  – Rated to resist attack for up to 5 minutes by anyone without tools
• High-end safe might be rated TL-30
  – Secure against a burglar with safecracking tools and less than 30 minutes of access
  – We can hire security guards with a less than 30 minute response time to any intrusion

Corollary of This Principle
• Focus your energy on securing the weakest links
  – Security is like a chain: it is only as secure as the weakest link
  – Attackers follow the path of least resistance, and will attack the system at its weakest point
• No point in putting an expensive high-end deadbolt on a screen door
  – The attacker isn't going to bother trying to pick the lock when he can just rip out the screen and step through!

2. Least Privilege
• Minimize how much privilege you give each program and system component
  – Only give a program the minimum access privileges it legitimately needs to do its job
• Least privilege is a powerful approach
  – Doesn't reduce the probability of failure, but can reduce the expected cost of failures
• The less privilege a program has, the less harm it can do if it goes awry or runs amok
  – Computer-age version of the shipbuilder's notion of "watertight compartments":
    » Even if one compartment is breached, we minimize damage to the rest of the system's integrity

Principle of Least Privilege Examples
• Can help reduce damage caused by buffer overruns or other program vulnerabilities
  – Intruder gains all the program's privileges
  – The fewer privileges a program has, the less harm is done if it is compromised
• How is Unix in terms of least privilege?
  – Answer: Pretty lousy!
  – A program gets all privileges of the invoking user
  – I edit a file and the editor receives all my user account's privileges (read, modify, delete)
• Strictly speaking, the editor only needs access to the file being edited to get the job done

Principle of Least Privilege Examples
• How is Windows in terms of least privilege?
  – Answer: Just as lousy!
  – Arguably worse, as many users run as Administrator and many Windows programs require Administrator access to run
• Every program receives total power over the whole computer!!
• Microsoft's security team recognizes this risk
  – Advice: Use a limited privilege account and "Run As…"

3. Use Fail-Safe Defaults
• Use default-deny policies
  – Start by denying all access, then allow only that which has been explicitly permitted
• Ensures that if security mechanisms fail or crash, the default will be secure behavior
• Example: Packet filter in a router
  – Failure means no packets will be routed
    » Fail-safe behavior
  – Fail-open behavior is much more dangerous
    » The attacker just waits for the packet filter to crash (or induces a crash) and then the fort is wide open!

Non-Fail-Safe Defaults Examples
• SunOS machines used to ship with + in the /etc/hosts.equiv file
  – Allowed anyone with root access on any machine on the Internet to log into your machine as root
• Irix machines used to ship with xhost + in their X Windows configuration files
  – Allowed anyone to connect to the X server

4. Separation of Responsibility
• Split up privilege
  – No one person or program has complete power
  – Require more than one party to approve before access is granted
• Two-party rule examples
  – Movie theater: pay the teller and get a ticket stub, then a separate employee tears the ticket in half, collects one half and puts it in a lockbox
    » Helps prevent insider fraud (under-/over-charging)
  – Most companies: purchases over a certain amount must be approved by both the requesting employee and a purchasing officer
    » Helps prevent insider fraud in vendor choice

Nuclear Two-Party Rule
• Minuteman nuclear missile launch control center
  – Underground control of ten nuclear missiles
  – Two launch officers must agree to launch missiles
  – Five control centers for a squadron of 50 missiles
• Decommissioned center preserved at Whiteman AFB, Missouri

5. Defense in Depth
• A closely related principle
  – "You can recognize a security guru
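The fail-safe versus fail-open packet filter from the "Use Fail-Safe Defaults" slide, written out as an added example that is not part of the lecture slides. The rule syntax (`allow|deny <proto> <src_cidr> <dst_port|any>`), the function names and the sample rule set are all assumptions made for this illustration. The same evaluator is run with a default-deny and a default-allow policy, once over a good rule file and once over a rule file with one corrupt line, to show that only the default-deny version stays safe when the mechanism itself fails.

```python
"""Added example (not from the lecture slides): a toy packet-filter evaluator
run as fail-safe (default-deny) and fail-open (default-allow).

Assumed rule syntax, one rule per line, '#' starts a comment:
    allow|deny <proto> <src_cidr> <dst_port|any>
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network  # source network the rule applies to
    dst_port: Optional[int]     # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule file; raise ValueError on the first malformed line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, proto, src, port = parts
        dst_port = None if port == "any" else int(port)
        rules.append(Rule(action, proto, ipaddress.ip_network(src, strict=False), dst_port))
    return rules


def match(rule: Rule, proto: str, src_ip: str, dst_port: int) -> bool:
    """True if the packet (proto, src_ip, dst_port) is covered by the rule."""
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src_ip) in rule.src
            and (rule.dst_port is None or rule.dst_port == dst_port))


def decide(rules: List[Rule], proto: str, src_ip: str, dst_port: int, default: str) -> str:
    """First matching rule wins; a packet no rule mentions gets the default."""
    for rule in rules:
        if match(rule, proto, src_ip, dst_port):
            return rule.action
    return default


def filter_fail_safe(rule_text: str, proto: str, src_ip: str, dst_port: int) -> str:
    """Default-deny: an unmatched packet, or an unloadable rule set, is dropped."""
    try:
        rules = parse_rules(rule_text)
    except ValueError:
        return "deny"       # the mechanism failed -> fail closed
    return decide(rules, proto, src_ip, dst_port, default="deny")


def filter_fail_open(rule_text: str, proto: str, src_ip: str, dst_port: int) -> str:
    """Default-allow: same mechanism, but failure leaves the fort wide open."""
    try:
        rules = parse_rules(rule_text)
    except ValueError:
        return "allow"      # the mechanism failed -> everything gets through
    return decide(rules, proto, src_ip, dst_port, default="allow")


# Constructed sample rule set: only web traffic from an assumed corporate range.
GOOD_RULES = """
allow tcp 10.0.0.0/8 443   # corporate clients to HTTPS
allow tcp 10.0.0.0/8 80    # corporate clients to HTTP
"""

# Same rule set with one truncated line, as after a bad edit or a cut-off file.
BROKEN_RULES = GOOD_RULES + "allow tcp 10.0.0.0/8\n"


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("broken", BROKEN_RULES)):
        for pkt in (("tcp", "10.1.2.3", 443), ("tcp", "10.1.2.3", 22), ("tcp", "203.0.113.9", 443)):
            print(name, pkt, "fail-safe:", filter_fail_safe(rules, *pkt),
                  "fail-open:", filter_fail_open(rules, *pkt))
```

With the good rule file the two policies differ only on packets no rule mentions (SSH from the corporate range, anything from outside it). With the broken rule file the fail-open filter lets every packet through, which is exactly the crash-and-wait situation the slide describes.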
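The two-party rule from the "Separation of Responsibility" and "Nuclear Two-Party Rule" slides, as an added example that is not part of the lecture slides. It generalises the purchasing case slightly: a request at or above a threshold needs a configurable number of distinct approvers holding an approver role, and the requester can never count as one of them. The user names, roles, threshold and class names are assumptions made for this illustration.

```python
"""Added example (not from the lecture slides): enforcing a two-party rule.

A request at or above `threshold` is authorised only when at least
`min_approvers` distinct users holding `approver_role` have approved it, and
the requester is never allowed to approve their own request. All names, roles
and amounts below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class PurchaseRequest:
    request_id: str
    requester: str
    amount: int
    vendor: str
    approvals: Set[str] = field(default_factory=set)


class TwoPartyPolicy:
    def __init__(self, roles: Dict[str, Set[str]], threshold: int,
                 min_approvers: int = 1, approver_role: str = "purchasing"):
        self.roles = roles                  # user -> set of roles held
        self.threshold = threshold          # amounts at/above this need approval
        self.min_approvers = min_approvers  # distinct approvers required
        self.approver_role = approver_role  # role an approver must hold

    def _holds_role(self, user: str) -> bool:
        return self.approver_role in self.roles.get(user, set())

    def approve(self, req: PurchaseRequest, approver: str) -> None:
        """Record an approval, refusing self-approval and unqualified approvers."""
        if approver == req.requester:
            raise PermissionError("requester may not approve their own request")
        if not self._holds_role(approver):
            raise PermissionError(f"{approver} does not hold role {self.approver_role!r}")
        req.approvals.add(approver)

    def is_authorised(self, req: PurchaseRequest) -> bool:
        """Below the threshold the requester alone suffices; above it, count
        only approvals from distinct, still-qualified users other than the
        requester (re-checked here in case roles changed after approval)."""
        if req.amount < self.threshold:
            return True
        valid = {a for a in req.approvals
                 if a != req.requester and self._holds_role(a)}
        return len(valid) >= self.min_approvers


# Constructed users: alice is an ordinary employee, bob is both an employee and
# a purchasing officer, carol is a purchasing officer only.
ROLES = {
    "alice": {"employee"},
    "bob": {"employee", "purchasing"},
    "carol": {"purchasing"},
}

# Assumed company rule: purchases of 5000 or more need one purchasing officer.
PURCHASING = TwoPartyPolicy(ROLES, threshold=5000, min_approvers=1)

# Assumed launch-style rule: every request needs two distinct officers.
LAUNCH = TwoPartyPolicy(ROLES, threshold=0, min_approvers=2, approver_role="purchasing")


def demo() -> Dict[str, bool]:
    """Walk through the cases the slides describe and return the outcomes."""
    out = {}
    small = PurchaseRequest("r1", "alice", 900, "acme")
    out["small_alone"] = PURCHASING.is_authorised(small)

    big = PurchaseRequest("r2", "alice", 12000, "acme")
    out["big_alone"] = PURCHASING.is_authorised(big)
    PURCHASING.approve(big, "carol")
    out["big_with_officer"] = PURCHASING.is_authorised(big)

    # bob is a purchasing officer, but cannot approve his own big purchase.
    own = PurchaseRequest("r3", "bob", 12000, "acme")
    try:
        PURCHASING.approve(own, "bob")
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True

    # Two-officer rule: one officer is not enough, two distinct ones are.
    launch = PurchaseRequest("r4", "alice", 1, "silo")
    LAUNCH.approve(launch, "bob")
    out["launch_one_officer"] = LAUNCH.is_authorised(launch)
    LAUNCH.approve(launch, "carol")
    out["launch_two_officers"] = LAUNCH.is_authorised(launch)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of re-checking roles inside `is_authorised` rather than trusting the stored approval set is that an approval recorded while a user held the role should not keep counting after the role is revoked; the same defensive stance applies to any record that grants privilege.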